Firewall Wizards mailing list archives
Re: IP transparent proxies (source).
From: "Magossa'nyi A'rpa'd" <mag () bunuel tii matav hu>
Date: Thu, 6 Nov 1997 08:18:42 +0100
[ I guess the last questions are relevant to firewall-wizards ]
I've been building a firewall based on Linux, and I'd like to share a couple of neat little things that I've done. They're not commercial-quality or anything, but they're pretty slick, and do their job well.
A very needed project. I don't have many free cycles, but I am ready to spend some on it. I have a half-done central configuration tool to contribute, plus those cycles.
I've been really interested in IP_TRANSPARENT_PROXY stuff, and have made two tools that are really useful for taking advantage of it. The first is tplug-gw, which is based on the fwtk plug-gw, and can
As you have already noticed, playing with fwtk code is not a good idea at all. It's cool and good but copyrighted. Reason: We have a _big_ intranet and decided to segment it with firewalls. The firewall of choice is TIS Gauntlet, partly because of fwtk. I thought we would install Gauntlet in the most important places, and fwtk in the rest, and get support for both from our local support company. They told me that they just can't give support for fwtk because of copyright reasons (my reading of the copyright wasn't exactly that, but it's another issue). If there were a free "fwtk", this wouldn't be a problem at all. Be sure not to make the same mistake that the KDE people made.
TCP OOB attacks, fragmentation attacks, etc. I'm not including the source here yet, because I'm not sure if I'm allowed to redistribute it, according to the fwtk license. I might just re-write it from scratch, as it isn't too complicated, and then it could be released without problems.
Let's rewrite it from scratch. I guess transproxyd would be a nice starting point. I would like it if the configuration were as TISish as copyright-wise possible. And if we could implement a way to define the protocols in an intuitive way, and build the proxies partly with bison and yacc, it could make building new proxies easier. (And modified versions, as I guess every one of us has a different view on the http-gw issue. Should it allow only standard HTML? What extensions to allow? What to do with Java/ActiveX?) It is also an opportunity to handle policies depending on source _and_ destination. With Gauntlet it is a little tricky to do in a clean way.
Questions:
I am trying to find problems with the security of bison-generated proxies. I couldn't find one, could someone point out some?
To what extent is it OK to use the same configuration method as TIS?
What do firewall wizards regard as allowable HTML?
---
GNU GPL: only from a clean source